Arms Dealer Offers $1m for iPhone Exploits

Slack AliceSlogger, Infosecurity Magazine

Here’s a storyline straight out of James Bond: We have entered the era of million-dollar arms-dealing. And the weapon is an iPhone hack.

As the iPhone 6s hits the US market, cybersecurity weapons-dealer Zerodium has announced that it will reward $1m to anyone able to crack Apple’s just-launched iOS 9 operating system. It will pay up to three teams the full amount for working exploits that can compromise the system.

“Apple iOS, like all operating systems, is often affected by critical security vulnerabilities. However, due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” the company said in a blog post. “But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”

Sooooooooooo…they want to make that upfront spend worth the bad guys’ while, in other words.

Well, yes and no. Zerodium was founded this past summer by Chaouki Bekrar, a well-known merchant of zero-day exploits formerly with Vupen. Like Vupen, Zerodium never reveals the vulns and associated exploits to the affected companies (Apple, in this case), and, instead, sells them to the highest bidder, with the expectation that they will be used. How they will be used is none of Zerodium’s concern; this is a purely mercenary business. A bit like shadowy NGOs and stateless entities dealing next-gen warheads to SPECTRE.

That said, the buyer could be on the right side of the fence; which could account for the lack of overt concern on the part of law enforcement and governments when it comes to this.

“All acquired security research is made available to our customers, which include both government organizations and Fortune 500 customers :-),” Bekrar told Fortune via email. “We cannot discuss financial information.”

Personally, I like to think that there’s a spy showdown going on behind the scenes, being played out in the corridors of cyberspace rather than in more traditional settings; say, grand hotels in Budapest, poker rooms in Monte Carlo, or on the slopes of the Matterhorn.

So far, Zerodium has brokered a slew of zero-days, mostly affecting web browsers like Internet Explorer, Chrome and Firefox for Windows, and Android. Bekrar said that it pays between $400,000 to $600,000 per month for vulnerability acquisitions, indicating a booming market.

Obviously, once out in the field, it’s impossible to prevent the malicious code from falling into the hands of oppressive regimes or hacking collectives looking to wreak havoc against good-guy interests. Consider Stuxnet, the worm developed by the US and Israel to attack Iran’s nuclear infrastructure; not too long after that successful campaign, Stuxnet and its derivatives showed up in attacks against our allies in the oil and gas industry.